Malicious hackers have stolen some two million passwords from major online services through browser-based malware called “Pony”.

At least two million user passwords spanning major online services have been compromised, reports security firm Trustwave, and these mostly include accounts on social networks. Majority of the compromised accounts are from Facebook (57 percent), with others comprising Yahoo (10 percent), Google (9 percent) and Twitter (3 percent) accounts. Other networks, like LinkedIn and VK were also identified as targets.

According to Trustwave, the attack came in the form of malware called “Pony”, which steals passwords stored on users’ browsers, or capturing these upon entry, and then collecting the information on a server. A Trustwave spokesperson clarified that the vulnerability was not on the Internet services’ part, as it was “not the result of any weakness in those companies networks.” On the contrary, Pony was a client-based attack, which capitalized on possible social engineering attacks (e.g., possibly by installing itself as a browser extension after a user unsuspectingly clicks on a link).

Facebook has already notified affected users, and has initiated a password change process to help protect these accounts. The perpetrator is not yet known, although Trustwave says the stolen account information was all sent to a server in the Netherlands. The security researchers have been able to access the “command and control” server and retrieve the stolen data from there.

The researchers also found it notable that compromised accounts included those from Russian social networks VK and odnoklassniki.ru, which means the attackers are likely to be targeting this particular audience, as well.

In terms of ensuring the safety of accounts, the security researchers say that password strength and layers of protection — such as 2-step verification processes imposed by Google — can help reduce vulnerability to attacks. Most of the compromised accounts in the Pony attack involved weak passwords.

Trustwave therefore recommends turning on these additional layers, such as secondary access codes generated through an authenticator app or received via SMS, as an added layer against break-ins.